Remove IP6Tables rules
- Not needed for the VPN to work
This commit is contained in:
parent
fa704629f0
commit
f0804e5184
@ -39,13 +39,11 @@ rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service
|
|||||||
编辑 `/etc/iptables.rules` 并删除不需要的规则。
|
编辑 `/etc/iptables.rules` 并删除不需要的规则。
|
||||||
你以前的防火墙规则(如果有)会备份在 `/etc/iptables.rules.old-日期-时间`。
|
你以前的防火墙规则(如果有)会备份在 `/etc/iptables.rules.old-日期-时间`。
|
||||||
另外如果文件 `/etc/iptables/rules.v4` 存在,请编辑它。
|
另外如果文件 `/etc/iptables/rules.v4` 存在,请编辑它。
|
||||||
如果使用 IPv6 ,还需编辑 `/etc/ip6tables.rules` 和/或 `/etc/iptables/rules.v6`。
|
|
||||||
|
|
||||||
### CentOS/RHEL
|
### CentOS/RHEL
|
||||||
|
|
||||||
编辑 `/etc/sysconfig/iptables` 并删除不需要的规则。
|
编辑 `/etc/sysconfig/iptables` 并删除不需要的规则。
|
||||||
你以前的防火墙规则(如果有)会备份在 `/etc/sysconfig/iptables.old-日期-时间`。
|
你以前的防火墙规则(如果有)会备份在 `/etc/sysconfig/iptables.old-日期-时间`。
|
||||||
如果使用 IPv6 ,还需编辑 `/etc/sysconfig/ip6tables`。
|
|
||||||
|
|
||||||
## 第四步
|
## 第四步
|
||||||
|
|
||||||
|
@ -39,13 +39,11 @@ rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service
|
|||||||
Edit `/etc/iptables.rules` and remove unneeded rules.
|
Edit `/etc/iptables.rules` and remove unneeded rules.
|
||||||
Your original rules (if any) are backed up as `/etc/iptables.rules.old-date-time`.
|
Your original rules (if any) are backed up as `/etc/iptables.rules.old-date-time`.
|
||||||
In addition, edit `/etc/iptables/rules.v4` if the file exists.
|
In addition, edit `/etc/iptables/rules.v4` if the file exists.
|
||||||
If using IPv6, also edit `/etc/ip6tables.rules` and/or `/etc/iptables/rules.v6`.
|
|
||||||
|
|
||||||
### CentOS/RHEL
|
### CentOS/RHEL
|
||||||
|
|
||||||
Edit `/etc/sysconfig/iptables` and remove unneeded rules.
|
Edit `/etc/sysconfig/iptables` and remove unneeded rules.
|
||||||
Your original rules (if any) are backed up as `/etc/sysconfig/iptables.old-date-time`.
|
Your original rules (if any) are backed up as `/etc/sysconfig/iptables.old-date-time`.
|
||||||
If using IPv6, also edit `/etc/sysconfig/ip6tables`.
|
|
||||||
|
|
||||||
## Fourth step
|
## Fourth step
|
||||||
|
|
||||||
|
31
vpnsetup.sh
31
vpnsetup.sh
@ -392,29 +392,6 @@ if [ -f /etc/iptables/rules.v4 ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create basic IPv6 rules
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
|
|
||||||
/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$sys_dt" 2>/dev/null
|
|
||||||
cat > /etc/ip6tables.rules <<EOF
|
|
||||||
# Added by hwdsl2 VPN script
|
|
||||||
*filter
|
|
||||||
:INPUT ACCEPT [0:0]
|
|
||||||
:FORWARD DROP [0:0]
|
|
||||||
:OUTPUT ACCEPT [0:0]
|
|
||||||
-A INPUT -i lo -j ACCEPT
|
|
||||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
-A INPUT -m rt --rt-type 0 -j DROP
|
|
||||||
-A INPUT -s fe80::/10 -j ACCEPT
|
|
||||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
|
||||||
-A INPUT -j DROP
|
|
||||||
COMMIT
|
|
||||||
EOF
|
|
||||||
if [ -f /etc/iptables/rules.v6 ]; then
|
|
||||||
/bin/cp -f /etc/iptables/rules.v6 "/etc/iptables/rules.v6.old-$sys_dt"
|
|
||||||
/bin/cp -f /etc/ip6tables.rules /etc/iptables/rules.v6
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Load IPTables rules at system boot
|
# Load IPTables rules at system boot
|
||||||
mkdir -p /etc/network/if-pre-up.d
|
mkdir -p /etc/network/if-pre-up.d
|
||||||
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
||||||
@ -423,12 +400,6 @@ iptables-restore < /etc/iptables.rules
|
|||||||
exit 0
|
exit 0
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
|
|
||||||
#!/bin/sh
|
|
||||||
ip6tables-restore < /etc/ip6tables.rules
|
|
||||||
exit 0
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Start services at boot
|
# Start services at boot
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||||
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null
|
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null
|
||||||
@ -450,12 +421,10 @@ sysctl -e -q -p
|
|||||||
# Update file attributes
|
# Update file attributes
|
||||||
chmod +x /etc/rc.local
|
chmod +x /etc/rc.local
|
||||||
chmod +x /etc/network/if-pre-up.d/iptablesload
|
chmod +x /etc/network/if-pre-up.d/iptablesload
|
||||||
chmod +x /etc/network/if-pre-up.d/ip6tablesload
|
|
||||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||||
|
|
||||||
# Apply new IPTables rules
|
# Apply new IPTables rules
|
||||||
iptables-restore < /etc/iptables.rules
|
iptables-restore < /etc/iptables.rules
|
||||||
ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
|
|
||||||
|
|
||||||
# Restart services
|
# Restart services
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
|
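Review bot: Once the first hunk (`@ -392,29 +392,6`) drops the `*filter` block that ended in `-A INPUT -j DROP`, the installer writes no ip6tables policy at all, so on a host with a routable IPv6 address the services this script starts (ipsec, xl2tpd) and sshd are reachable over v6 with none of the filtering the IPv4 rules provide — the kernel default for an unconfigured INPUT chain is ACCEPT. That is a change in exposure rather than the no-op the message suggests, and the README hunks above delete the only sentence pointing users at `/etc/ip6tables.rules` / `/etc/iptables/rules.v6`. If IPv6 is meant to be unsupported, make it explicit: either keep a minimal deny-by-default v6 policy (the deleted `lo`, `ESTABLISHED,RELATED`, `fe80::/10` and `ipv6-icmp` accepts plus the final `-A INPUT -j DROP`), or set `net.ipv6.conf.all.disable_ipv6 = 1` in the sysctl settings the script already applies with `sysctl -e -q -p` (third hunk header), and record the decision in the script with a comment such as `# No ip6tables rules are installed: IPv6 traffic to this host is unfiltered unless you add rules or disable IPv6`. A host configured by an earlier run also keeps `/etc/network/if-pre-up.d/ip6tablesload` and `/etc/ip6tables.rules`, which this version neither removes nor refreshes (the third hunk only drops the `chmod +x`), so behaviour now differs between fresh installs and re-runs; a cleanup step or a note would avoid surprises. The CentOS script below has the same gap with `/etc/sysconfig/ip6tables`.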
@ -146,11 +146,6 @@ yum -y install ppp xl2tpd
|
|||||||
# Install Fail2Ban to protect SSH
|
# Install Fail2Ban to protect SSH
|
||||||
yum -y install fail2ban
|
yum -y install fail2ban
|
||||||
|
|
||||||
# Install IP6Tables
|
|
||||||
if grep -qs "release 6" /etc/redhat-release; then
|
|
||||||
yum -y install iptables-ipv6
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Installed Libevent2
|
# Installed Libevent2
|
||||||
if grep -qs "release 6" /etc/redhat-release; then
|
if grep -qs "release 6" /etc/redhat-release; then
|
||||||
yum -y remove libevent-devel
|
yum -y remove libevent-devel
|
||||||
@ -391,25 +386,6 @@ iptables-save >> /etc/sysconfig/iptables
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create basic IPv6 rules
|
|
||||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
|
|
||||||
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$sys_dt" 2>/dev/null
|
|
||||||
cat > /etc/sysconfig/ip6tables <<EOF
|
|
||||||
# Added by hwdsl2 VPN script
|
|
||||||
*filter
|
|
||||||
:INPUT ACCEPT [0:0]
|
|
||||||
:FORWARD DROP [0:0]
|
|
||||||
:OUTPUT ACCEPT [0:0]
|
|
||||||
-A INPUT -i lo -j ACCEPT
|
|
||||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
-A INPUT -m rt --rt-type 0 -j DROP
|
|
||||||
-A INPUT -s fe80::/10 -j ACCEPT
|
|
||||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
|
||||||
-A INPUT -j DROP
|
|
||||||
COMMIT
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create basic Fail2Ban rules
|
# Create basic Fail2Ban rules
|
||||||
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
||||||
cat > /etc/fail2ban/jail.local <<EOF
|
cat > /etc/fail2ban/jail.local <<EOF
|
||||||
@ -435,7 +411,6 @@ cat >> /etc/rc.local <<EOF
|
|||||||
|
|
||||||
# Added by hwdsl2 VPN script
|
# Added by hwdsl2 VPN script
|
||||||
iptables-restore < /etc/sysconfig/iptables
|
iptables-restore < /etc/sysconfig/iptables
|
||||||
ip6tables-restore < /etc/sysconfig/ip6tables
|
|
||||||
service fail2ban restart
|
service fail2ban restart
|
||||||
service ipsec start
|
service ipsec start
|
||||||
service xl2tpd start
|
service xl2tpd start
|
||||||
@ -457,7 +432,6 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
|||||||
|
|
||||||
# Apply new IPTables rules
|
# Apply new IPTables rules
|
||||||
iptables-restore < /etc/sysconfig/iptables
|
iptables-restore < /etc/sysconfig/iptables
|
||||||
ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1
|
|
||||||
|
|
||||||
# Restart services
|
# Restart services
|
||||||
service fail2ban stop >/dev/null 2>&1
|
service fail2ban stop >/dev/null 2>&1
|
||||||
|
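Review bot: With `/etc/sysconfig/ip6tables` no longer written by the `@ -391,25 +386,6` hunk, the `# Install Fail2Ban to protect SSH` step kept in the first hunk becomes the only control in front of sshd for IPv6 clients, and whether Fail2Ban's iptables ban action covers IPv6 sources depends on the version yum installs (not visible here; older releases handle IPv4 only — worth confirming). The `release 6` branch also loses `yum -y install iptables-ipv6`, so on CentOS 6 an administrator who wants to add v6 rules by hand must first install that package; the README should say so now that its IPv6 sentence is gone. Keeping a minimal deny-by-default ip6tables policy, or disabling IPv6 in the sysctl settings the script loads, would make the "not needed for the VPN" decision safe on dual-stack hosts; at minimum a comment where the block was removed, e.g. `# No ip6tables rules are installed; IPv6 traffic to this host is unfiltered`, records the trade-off for the next maintainer.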